Tweak some settings for better Prometheus metrics access.

[mattmoyer]

These are essentially the changes documented in kube-prometheus-on-kubeadm.md. They enable Prometheus running in Kubernetes to scrape container-level metrics from each Kubelet (authenticating with a ServiceAccount token) and to scrape metrics from kube-controller-manager and kube-scheduler (anonymously).

These have some tradeoffs that we should discuss. The kube-controller-manager and kube-scheduler --address changes mean that they will expose metrics over these endpoints to the whole cluster.

These metrics aren't super sensitive but they do give away some context about where the cluster is running, the versions of the components, and some high level picture of what's running in the cluster. I think this is acceptable for most use cases where the Quick Start is appropriate today.

There is recent work upstream (kubernetes/kubernetes#59582) that will add authentication options for these endpoints.

Update

I dropped the --address changes and left only the Kubelet authentication flag change.

[detiber]

I don't see any issues with the changes to enable the kubelet metrics endpoint out of the box, but I think I would prefer if we held off on the changes to support the Controller Manager and Scheduler until auth support is in place.

[detiber]

Opening up the metrics endpoints without authentication for these makes me a bit uneasy. I think I would prefer if we held off on these updates until the auth changes land upstream.

[mattmoyer]

That's fine. I took this change out and left only the kubelet change for now.

[mattmoyer]

@detiber updated, PTAL.

[detiber]

lgtm